@patrickceg
Last active October 1, 2020 19:53
This is my scratchpad for https://github.com/OWASP/wstg/issues/419
Location of the article in question https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel.md
Summary all in all looks good, but we should reference https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.md#httponly-attribute
--------------------------
Questions:
- HTTP in 2020? : Needs research
Technical:
- Wireshark?: Not really needed since you can point a mobile device at a proxy
- Browser debugging console?: Yes
--------------------------
Existing article:
Summary
* What is testing for credentials transport
* Link to insufficient cipher strength
How to test:
* What it looks like when HTTP
* What it looks like while HTTPS
Grey-box testing which is more "remediation"
--------------------------
Article changes:
1. Summary:
* Keep original frontmatter
* Links: insufficient cipher strength, unsecured cookie
2. How to test:
* Notes about proxy or browser in debug mode
* Log in normally, verify that the proxy / debugger shows HTTPS for both the request and the response
* Attempt to force-browse to the HTTP login page
* Use OWASP ZAP or another tool to replay the login request over HTTP; that should fail (redirect or rejection, never a 200 with a session)
(Can use a test Jenkins server)
3. Rename Grey-Box Testing as Remediation
4. Check over the newest template and verify / change the naming of sections as needed
--------------------------
Plan for testing:
* Set up Linux VM (probably OpenSUSE because it's the laziest to install with)
* Natively install some web thingie with both http and https
* Use my "router"'s CA to create the SSL cert
* Hopefully everything is doable through a browser in Dev mode
--------------------------
Testing:
docker run --rm -p 8080:3000 bkimminich/juice-shop
Another possibility is HTTPS with MediaWiki https://www.mediawiki.org/wiki/Manual:$wgCookieSecure
My not so secret credentials for this
I'm keeping this in a public note because even if you do get my Juice Shop you will be in a
DMZ with the only other thing in there being an IPS and a Kali so I get to see what you're
up to :)
testuser@example.com
My33@Credential
Mother's maiden name: Alice
--------------------------
It looks like Juice Shop will work for my example.
I'll capture the following cases:
HTTPS Login
Accessing a page with HTTPS
Test fail example: Force browsing to HTTP and logging in
Test fail example: Logging in, then force browsing to HTTP and the browser still submits the session token
To avoid too many examples, I'll just cite other places where you can have problems:
* Any use of HTTP in the "I forgot my password" procedure
Looks like "copy request headers" and "copy response headers" from Firefox in debug mode are more than enough.
No ZAP or other tooling should be needed.
Example of an HTTP login:
Headers
POST /rest/user/login HTTP/1.1
Host: site-under.test:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site-under.test:8080/
Content-Type: application/json
Content-Length: 61
Connection: keep-alive
Cookie: language=en; io=bag_X60oTf4pi6VvAAAB; welcomebanner_status=dismiss; cookieconsent_status=dismiss
POST data
{"email":"testuser@example.com","password":"My33@Credential"}
Response headers
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
Content-Type: application/json; charset=utf-8
Content-Length: 838
ETag: W/"346-Rr3NPnTL2JfPYKLbUtWoPfbKuoU"
Vary: Accept-Encoding
Date: Wed, 19 Aug 2020 02:43:14 GMT
Connection: keep-alive
Request headers of a later request, still over HTTP (the session token is sent in the clear in both the Authorization header and the token cookie)
GET /rest/user/whoami HTTP/1.1
Host: site-under.test:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site-under.test:8080/
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.UdY6zSuqTus1r5fN_YKrInaLpuFzVm0Sb8c_dSk-C87ER9cGy14pE_Q_iwep95YinNtI_VdF0jfe2JR-EWmpFVPE-WJjyzlO1n7AYfwJjwAyXFb5sB-ddWTA3s93xBz-zGH7oKCAuaJxZAN_BK_RDE0zBQY82FSGWDGFGExm0lU
Connection: keep-alive
Cookie: language=en; io=bag_X60oTf4pi6VvAAAB; welcomebanner_status=dismiss; cookieconsent_status=dismiss; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.UdY6zSuqTus1r5fN_YKrInaLpuFzVm0Sb8c_dSk-C87ER9cGy14pE_Q_iwep95YinNtI_VdF0jfe2JR-EWmpFVPE-WJjyzlO1n7AYfwJjwAyXFb5sB-ddWTA3s93xBz-zGH7oKCAuaJxZAN_BK_RDE0zBQY82FSGWDGFGExm0lU
If-None-Match: W/"b-/5bSboVjVhGw3qRgvUfZjE1r1Ns"
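The checks in the test steps above (HTTPS on both request and response, no credentials or session token over plain HTTP, Secure on session cookies) can be run mechanically over request/response pairs copied out of Firefox or a proxy. This is an added example, not code from the gist, the WSTG article or Juice Shop. The captures embedded in it are constructed, modelled on the Juice Shop capture above; the session-cookie name hints, the credential field names and the fact that the URL scheme comes from the devtools entry rather than the raw request line are assumptions.

```python
"""Scan copied request/response pairs for credentials or session tokens sent over
plain HTTP. Added example; the captures in SAMPLES are constructed, not real traffic."""
import json
import re
from dataclasses import dataclass

# Assumed heuristics: cookie names that usually carry a session, and body fields
# that usually carry a credential. Extend per application.
SESSION_COOKIE_HINTS = ("token", "session", "sid", "jsessionid", "phpsessid", "auth")
CREDENTIAL_FIELDS = ("password", "passwd", "pwd", "secret", "otp")


@dataclass
class Capture:
    url: str       # full URL as shown by the browser/proxy (the raw request has no scheme)
    request: str   # raw request: request line, headers, blank line, body
    response: str  # raw response headers (body optional)


def parse_message(raw):
    """Split a raw HTTP message into (start line, {lower-case header: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def cookie_names(cookie_header):
    """Names of the cookies in a Cookie: request header."""
    return [p.split("=", 1)[0].strip() for p in cookie_header.split(";") if "=" in p]


def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_COOKIE_HINTS)


def body_has_credentials(body, content_type):
    """True if a request body carries a password-like field (JSON or form-encoded)."""
    if "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:
            return False
        return isinstance(data, dict) and any(k.lower() in CREDENTIAL_FIELDS for k in data)
    return any(re.search(rf"(^|&){f}=", body, re.IGNORECASE) for f in CREDENTIAL_FIELDS)


def check_capture(cap):
    """Return a list of findings (empty list means the pair passed)."""
    findings = []
    insecure = cap.url.lower().startswith("http://")
    req_line, req_h, req_body = parse_message(cap.request)
    _, resp_h, _ = parse_message(cap.response)
    ctype = " ".join(req_h.get("content-type", []))
    if insecure and body_has_credentials(req_body, ctype):
        findings.append(f"credentials submitted over HTTP: {req_line}")
    if insecure and "authorization" in req_h:
        findings.append(f"Authorization header sent over HTTP: {req_line}")
    for cookie in req_h.get("cookie", []):
        leaked = [n for n in cookie_names(cookie) if looks_like_session(n)]
        if insecure and leaked:
            findings.append(f"session cookie(s) {leaked} sent over HTTP: {req_line}")
    for sc in resp_h.get("set-cookie", []):
        name = sc.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in sc.split(";")[1:]]
        if looks_like_session(name) and "secure" not in attrs:
            findings.append(f"session cookie {name!r} set without Secure (browser will replay it over HTTP)")
    if not insecure and "strict-transport-security" not in resp_h:
        findings.append("HTTPS response without Strict-Transport-Security")
    return findings


# Constructed captures. The first two mirror the two fail cases from the notes:
# login over HTTP, then the session token replayed over HTTP. The third is a pass.
SAMPLES = [
    Capture(
        url="http://site-under.test:8080/rest/user/login",
        request=("POST /rest/user/login HTTP/1.1\r\nHost: site-under.test:8080\r\n"
                 "Content-Type: application/json\r\nCookie: language=en\r\n\r\n"
                 '{"email":"testuser@example.com","password":"My33@Credential"}'),
        response="HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n\r\n",
    ),
    Capture(
        url="http://site-under.test:8080/rest/user/whoami",
        request=("GET /rest/user/whoami HTTP/1.1\r\nHost: site-under.test:8080\r\n"
                 "Authorization: Bearer eyJ0eXAi.constructed.sig\r\n"
                 "Cookie: language=en; token=eyJ0eXAi.constructed.sig\r\n\r\n"),
        response="HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n",
    ),
    Capture(
        url="https://site-under.test/rest/user/login",
        request=("POST /rest/user/login HTTP/1.1\r\nHost: site-under.test\r\n"
                 "Content-Type: application/json\r\n\r\n"
                 '{"email":"testuser@example.com","password":"My33@Credential"}'),
        response=("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
                  "Set-Cookie: token=abc; Path=/; Secure; HttpOnly; SameSite=Strict\r\n\r\n"),
    ),
]


def run(captures=SAMPLES):
    """Map each capture URL to its findings."""
    return {c.url: check_capture(c) for c in captures}


if __name__ == "__main__":
    for url, findings in run().items():
        print(url, "-> PASS" if not findings else "")
        for finding in findings:
            print("   FAIL:", finding)
```

Paste the request and response headers from "copy request headers" / "copy response headers" into `Capture` entries; the URL field is what decides whether a leak is over HTTP, so take it from the devtools network entry, not from the Referer.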
--------------------------
Docker nginx HTTPS
https://docs.docker.com/network/bridge/
https://nginx.org/en/docs/http/configuring_https_servers.html
# /opt/nginx/nginx.conf, bind-mounted as the whole main config, so it needs the events/http wrappers.
events {}
http {
    # Plain HTTP: redirect everything to HTTPS, never serve the app here.
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
    # HTTPS reverse proxy in front of Jenkins, cert issued by the lab CA.
    server {
        listen 443 ssl;   # "ssl on;" is deprecated/removed; the listen parameter replaces it
        server_name site-under.test;
        ssl_certificate /etc/nginx/cert.crt;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl_protocols TLSv1.3;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/jenkins.access.log;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # X-Forwarded-Proto fixes the Jenkins "It appears that your reverse proxy set up is broken" error.
            proxy_pass http://jenkins:8080;
            proxy_read_timeout 90;
            proxy_redirect http://jenkins:8080 https://site-under.test;
        }
    }
}
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
docker network create jenkins-net
docker run --rm --name my-nginx --network jenkins-net --publish 443:443 --publish 80:80 --mount 'type=bind,src=/opt/nginx/nginx.conf,dst=/etc/nginx/nginx.conf,readonly' --mount 'type=bind,src=/opt/nginx/test-site.crt,dst=/etc/nginx/cert.crt,readonly' --mount 'type=bind,src=/opt/nginx/private.key,dst=/etc/nginx/cert.key,readonly' nginx
docker run --rm --network jenkins-net --name jenkins jenkins/jenkins:jdk11
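Once the two containers are up, the remediation (HTTP only ever redirects, HTTPS carries the session) can be checked from the command line instead of the browser. This is an added example, not from the gist, the nginx docs or the DigitalOcean guide. It assumes the lab hostname site-under.test from these notes and Juice Shop's /rest/user/login path as the login endpoint to replay (adjust the path for Jenkins or any other target), and that CURL_CA_BUNDLE points at the "router" CA that signed the lab certificate.

```sh
#!/bin/sh
# Added example: active transport checks against the nginx lab above.
# Usage: CURL_CA_BUNDLE=/opt/nginx/ca.crt sh check-transport.sh site-under.test
# The hostname and the /rest/user/login path are lab assumptions, not real hosts.

# Read a response header block from stdin (as printed by `curl -si` / `curl -sI`)
# and succeed only if it is a redirect whose Location is an https:// URL.
redirects_to_https() {
    hdrs=$(tr -d '\r')
    code=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    loc=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" {print $2; exit}')
    case "$code" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$loc" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the header block carries Strict-Transport-Security.
has_hsts() {
    tr -d '\r' | awk 'tolower($1) == "strict-transport-security:" {found = 1} END {exit !found}'
}

# Succeed if every Set-Cookie in the header block carries the Secure attribute
# (the unsecured-cookie case referenced at the top of these notes).
all_cookies_secure() {
    tr -d '\r' | awk '
        tolower($1) == "set-cookie:" { total++; if (tolower($0) ~ /; *secure( *;|$)/) ok++ }
        END { exit (total == ok) ? 0 : 1 }'
}

main() {
    host=$1
    fail=0
    # 1. Plain HTTP must be redirected to HTTPS, not served.
    if curl -sI "http://$host/" | redirects_to_https; then
        echo "PASS  http://$host/ redirects to HTTPS"
    else
        echo "FAIL  http://$host/ is served over plain HTTP"; fail=1
    fi
    # 2. A login replayed over plain HTTP must not be processed: expect the redirect, never a 200.
    #    No -L, so curl shows what the server did with the POST itself.
    if curl -si -X POST -H 'Content-Type: application/json' \
            --data '{"email":"testuser@example.com","password":"not-the-real-one"}' \
            "http://$host/rest/user/login" | redirects_to_https; then
        echo "PASS  HTTP login replay was redirected, not processed"
    else
        echo "FAIL  HTTP login replay reached the application"; fail=1
    fi
    # 3. The HTTPS side should pin clients to HTTPS and mark every cookie Secure.
    resp=$(curl -sI "https://$host/")
    printf '%s\n' "$resp" | has_hsts || echo "WARN  no Strict-Transport-Security on https://$host/"
    printf '%s\n' "$resp" | all_cookies_secure || { echo "FAIL  a cookie is set without Secure"; fail=1; }
    return "$fail"
}

# Run the live checks only when a host is given, so the helpers can be sourced or tested alone.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

The second check is the scripted form of "replay the login over HTTP": with the port-80 block above in place the POST body never reaches Jenkins or Juice Shop, and the script sees the 301. If the proxy instead answers 200, the application accepted credentials in the clear, which is the finding the WSTG test is looking for.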
--------------------------
Random Internet guides used:
https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/
https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates
https://thomas-leister.de/en/how-to-import-ca-root-certificate/
--------------------------
Verification against task description: OK
--------------------------
Verification against contributor guide template
Summary
Test Objectives - Added
How to Test
Remediation
--------------------------
TODO: Read
--------------------------
Verification against contributor guide style guide